Working repository in context of the bachelor project "Online Marketplace Simulation: A Testbed for Self-Learning Agents" at the research group Enterprise Platform and Integration Concepts
MIT License
[Docker] translate Docker IDs for additional security #507
Imagine the following situation:
The remote machine where the API is running runs a Docker container with another application (for example a different web server).
A hacker knows about the API secret, guessed it or somehow got their hands on the secret, and is now able to manipulate the machine for at most 2 h.
The hacker does not know any container ID of our simulation containers, but they know the container ID of the other application running on the same machine.
They could just use this knowledge to kill this machine with our API.
This is a possible attack on our current network infrastructure.
Mitigate it.
Suggestion:
Build a container id translation:
[ ] establish a database table for inserting the actual id into the given fake id (you could use the work previously done in 412-push-notification)
[ ] translate the Docker ids before returning them to the client: generate a new random id (i.e. uuid4) and add a pre- or suffix to it. Write the translation to the database
[ ] reject all requests that do not fulfill our naming pattern or are not in our new database.
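
The three suggested steps as an added example (not code from this repository), using an in-memory SQLite table. The `sim-` prefix, the table name `container_ids`, the function names and the sample ids are assumptions made for illustration.

```python
import re
import sqlite3
import uuid

PREFIX = "sim-"  # assumed prefix; the issue only asks for "a pre- or suffix"
PUBLIC_ID = re.compile(re.escape(PREFIX) + r"[0-9a-f]{32}")

class UnknownContainer(Exception):
    """The supplied id is malformed or was never issued by this API."""

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS container_ids "
                 "(public_id TEXT PRIMARY KEY, docker_id TEXT NOT NULL UNIQUE)")
    return conn

def issue(conn, docker_id):
    """Record the real Docker id and return the random id handed to the client."""
    public_id = PREFIX + uuid.uuid4().hex
    with conn:  # commits on success, rolls back on error
        conn.execute("INSERT INTO container_ids VALUES (?, ?)", (public_id, docker_id))
    return public_id

def resolve(conn, public_id):
    """Translate a client-supplied id back to the Docker id, or reject it."""
    # Pattern check first, so a raw Docker id never reaches the table or Docker.
    if not isinstance(public_id, str) or not PUBLIC_ID.fullmatch(public_id):
        raise UnknownContainer("id does not match the naming pattern")
    row = conn.execute("SELECT docker_id FROM container_ids WHERE public_id = ?",
                       (public_id,)).fetchone()
    if row is None:
        raise UnknownContainer("id was not issued by this API")
    return row[0]

def demo():
    # Constructed ids: one simulation container, one unrelated container on the host.
    ours, foreign = "a1b2c3d4e5f6", "0f9e8d7c6b5a"
    conn = open_store()
    public = issue(conn, ours)
    rejected = []
    for candidate in (foreign, ours, PREFIX + "0" * 32):
        try:
            resolve(conn, candidate)
        except UnknownContainer:
            rejected.append(candidate)
    return resolve(conn, public), rejected

if __name__ == "__main__":
    print(demo())
```

Every API handler that acts on a container would call `resolve` and pass only its return value to Docker, so the id of the unrelated container, a raw simulation container id and a well-formed but unissued id are all refused.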